Weekly Intelligence Trends and Advisory – 18 July 2021

Weekly Attack Type and Trends

Key intelligence signals

• Attack Type: Phishing, Malware Implant, Ransomware, Vulnerabilities & Exploits, Social Engineering, Data Exfiltration, DDoS, Impersonation
• Objective: Data Theft, Payload Delivery, Data Encryption, Financial Gains, Operational Disruption
• Business Impact: Data Loss, Financial Loss, Reputational Damage, Operational Disruption
• Ransomware – Everest | Malware – Bandook, zloader, BIOPASS RAT
• Everest – A data leak site/ ransomware.
• Bandook – A Info-stealer RAT.
• zloader – A Backdoor Trojan.
• BIOPASS RAT – A rat with new infection technique.

Behavior – Most of these malware use phishing and social engineering techniques as their initial attack vector. Apart from these techniques, exploitation of vulnerabilities, and defence evasion tactics are being observed.

Insights

• The Everest ransomware operators gained notoriety for promoting their site by contacting security researchers and journalists as well as emailing competitors of breach victims to pressure and extort money. The operators were seen listing new data leaks during the observation period.
• Written in both Delphi and C++, Bandook has a history of being sold as a commercial remote access trojan (RAT) dating back to 2005. Since then, numerous variants have emerged on the threat landscape and use in different surveillance campaigns.
• Zloader malware has resumed its campaign with a new technique that downloads and executes malicious DLLs (Zloader) without any malicious code present in the initial spammed attachment macro.
• Online gambling companies are being targeted by a new BIOPASS RAT which, in addition to its predictable features like file assessment and data exfiltration takes the novel approach of using live streaming to spy on the screens of its victims.

Threat Actor in Focus

BIOPASS RAT: New Malware Sniffs Victims via Live Streaming

Suspected Threat Actors: MISSION2025

• Attack Type: Watering hole
• Ransomware / Malware: BIOPASS RAT
• Objective: Data Exfiltration, Shell Command Execution, Remote Desktop Access, Capture Screen
• Target Industry: Consumer Service
• Target Geography: China
• Target Technology: Microsoft Silverlight, Adobe Flash Player, Open Broadcaster Software (OBS)
• Business Impact: Data Loss, Operational Disruption

Summary

BIOPASS RAT is a sophisticated type of malware that is implemented as Python scripts. The RAT possesses basic features found in other malware, such as file system assessment, remote desktop access, file exfiltration, and shell command execution. The RAT is notable for its focus on stealing private data from web browsers and instant messaging apps chiefly popular in Mainland China, including QQ Browser, 2345 Explorer, Sogou Explorer, and 360 Safe Browser, WeChat, QQ, and Aliwangwang.

Besides featuring an array of capabilities that run the typical spyware gamut, BIOPASS is equipped to establish live streaming to a cloud service under the attacker’s control via Real-Time Messaging Protocol (RTMP), in addition to communicating with the Command & Control (C2) server using the Socket.IO protocol.

Insights

• What makes BIOPASS RAT particularly interesting is that it can sniff its victim’s screen by abusing the framework of OBS Studio, a popular live streaming and video recording app, to establish live streaming to a cloud service via RTMP. In addition, the attack misuses the object storage service (OSS) of Alibaba Cloud (Aliyun) to host the BIOPASS RAT Python scripts as well as to store the exfiltrated data from victims.
• BIOPASS RAT is a sophisticated type of malware that is implemented as Python scripts. It possesses many features, such as the ability to use scheduled tasks as a method of maintaining persistence in the infected system. The malware abuses publicly available tools and cloud services for its malicious behavior.

Rise in Malware/Ransomware and Phishing

Epsilon Hydraulique Impacted by Everest Ransomware

• Attack Type: Ransomware, Data Leak
• Target Industry: Farm and Garden Machinery
• Target Geography: France
• Ransomware: Everest Ransomware
• Objective: Data Exfiltration, Financial Gains
• Business Impact: Data Leak, Erosion of Intellectual Property, Financial Loss, Reputational Damage

Summary

CTI observed Epsilon Hydraulique – a French machinery-making company – impacted by the Everest ransomware group/ leak site. It is suspected that the operators have exfiltrated a large amount of business-critical and sensitive data. The threat actor in the advertisement, published on their data leak site, released approximately 45 gigabytes of suspected stolen data.

Source: Dark web

Insights

• The data is first made available for sale to potential buyers. As the ransom payment gets delayed the ransomware operators resort to publishing data as time goes on. Ultimately, if no ransom is paid and the data is not purchased, the data is released to the public for free for anyone to download.
• Most ransomware providers often put a lot of effort to establish their reputation and attempt to maintain some level of integrity likely to encourage and facilitate ransomware payments.

Latest Cyber-Attacks, Incidents, and Breaches

TrickBot Malware Returns with a new VNC Module to Spy on its Victims

• Attack Type: Malware Implant
• Attack Vector: Phishing
• Threat Actor: Wizard Spider
• Target Geography: Worldwide
• Malware: TrickBot
• Objective: Data Exfiltration, Payload Delivery, Lateral Movement
• Business Impact: Data Loss, Operational Disruption

Summary

Researchers have discovered an updated VNC module that seems to be in active development, as its maintainers are updating it at a very fast pace. The new capabilities discovered are used to monitor and gather intelligence on victims, using a custom communication protocol to hide data transmissions between command & control servers and victims — making attacks difficult to spot.

The botnet has since survived two takedown attempts by Microsoft and the U.S. Cyber Command, with the operators developing firmware meddling components that could allow the hackers to plant a backdoor in the Unified Extensible Firmware Interface (UEFI), enabling it to evade antivirus detection, software updates, or even a total wipe and reinstallation of the computer’s operating system. The threat actor has been found actively developing an updated version of a module called “vncDll” that it employs against select high-profile targets for monitoring and intelligence gathering. The new version has been named “tvncDll.”

Insights

TrickBot has evolved to use a complex infrastructure that compromises third-party servers and uses them to host malware. It also infects consumer appliances such as DSL routers, and its criminal operators constantly rotate their IP addresses and infected hosts to make disruption of their crime as difficult as possible.

The new module is designed to communicate with one of the nine command & control (C2) servers defined in its configuration file, using it to retrieve a set of attack commands, download more malware payloads, and exfiltrate gathered from the machine back to the server. Additionally, the researchers said they identified a “viewer tool,”

Vulnerabilities and Exploits

SolarWinds Serv-U Managed File Transfer Server and Serv-U Secured Security Advisory

• Target Geography: Global
• Target Technology: Serv-U Managed File Transfer Server and Serv-U Secured FTP
• Vulnerabilities: CVE-2021-35211 (CVSS Base Score: 9.8)
• Vulnerability Type: Remote Code Execution (RCE)
• Impact: Confidentiality (High), Integrity (High), Availability (High)

Summary

SolarWinds has patched a RCE vulnerability in its Serv-U file transfer products after Microsoft observed exploitation against a limited, targeted set of customers by a single threat actor. The remote memory escape flaw (CVE-2021-35211) affects both the Serv-U Managed File Transfer Server and Serv-U Secured File Transfer Protocol, according to a security advisory issued by SolarWinds. The enterprise IT software vendor said it does not yet have an estimate of how many customers may be directly affected by the vulnerability or the identity of any potentially affected customers.

Insights

• SolarWinds said the flaw is completely unrelated to the Sunburst supply chain attack that unfolded at the tail end of 2020, in which nation-state attackers compromised some of the major SolarWinds clients including US government agencies via vulnerabilities in SolarWinds’ Orion software.
• The company has warned Serv-U customers that the throwing of exceptions within their environment could be a sign of compromise – although there are other potential causes – because exploitation takes the form of Return Oriented Programming (ROP) attacks. Another potential indicator of compromise is potentially suspicious connections via SSH. Customers are safe from attacks exploiting the vulnerability when SSH is disabled.